2026

OAuth 2.1 is an authorization framework that allows users to grant third-party applications access to their data without sharing passwords. It consolidates the best practices from OAuth 2.0 and its security extensions (PKCE, token binding, refresh token rotation) into a single, simplified specification. FieldMCP uses OAuth 2.1 as its sole authentication mechanism.

How OAuth 2.1 Works in FieldMCP

FieldMCP implements a two-hop PKCE authorization flow:

1. Client to FieldMCP — Your AI application redirects the user to FieldMCP's /authorize endpoint with a PKCE code challenge. FieldMCP validates the request and initiates the upstream authorization.
2. FieldMCP to John Deere — FieldMCP redirects the user to John Deere's Okta identity provider. The user signs in with their John Deere credentials and grants consent.
3. Callback chain — John Deere redirects back to FieldMCP's /oauth/callback, which exchanges the authorization code for tokens. FieldMCP then issues its own tokens to your application.

Token Types

• Access tokens — ES256-signed JWTs with a 1-hour expiry, audience-restricted to the MCP endpoint. Passed as Bearer tokens in the Authorization header.
• Refresh tokens — Opaque 32-byte tokens, SHA-256 hashed before storage. Used to obtain new access tokens without re-prompting the user.

Why OAuth 2.1 (Not API Keys)

FieldMCP previously supported API keys but removed them entirely. OAuth 2.1 provides:

• Scoped access — Tokens are restricted to specific permissions, not blanket access
• Automatic expiry — Compromised tokens stop working after 1 hour
• User consent — The data owner explicitly approves each application's access
• Auditability — Token issuance and refresh events create a clear access trail

Verifying Tokens

FieldMCP publishes its public signing key at /.well-known/jwks.json. If you need to verify access tokens independently, fetch the JWKS and validate the ES256 signature, expiry, and audience claims.

Further Reading

• Authentication guide
• Machine-to-machine auth for service-to-service flows